“On October 16, 2006, 13-year-old Megan Meier fled from her family's computer, distraught over the cutting comments of her supposed "friends" on MySpace. Twenty minutes later, the troubled teen was dead; she had hung herself in her closet.” … “The twist that Lori Drew, a 47-year-old neighbor and mother of a former friend of Megan's, had allegedly created the fake persona of a 16-year-old boy to befriend and later torment the girl brought outrage. Yet, state investigators could not find a law under which Drew could be charged.”

But now they’ve found a way and if it stands could seriously negatively affect the rest of us. All of us. Everyone online is turned into a potential felon HACKER. They’re trying to stretch the definition of "unauthorized access” to include violating of Terms of Service. I skimmed the ToSs posted by Google, Yahoo, Microsoft, MySpace, Facebook, AT&T, etc and the above items are just a small sampling of what few of us have read about the services we use online. If fact no one could probably even get online without agreeing to these ToSs and the many others like them.

I don’t know what to say here. This better not stand up and one would hope its dismissed quickly. Otherwise we all could be in big trouble if legal precedence is set.

10 comments:

Anonymous
said...

This only really applies to that one lady who caused that poor, innocent teenager to commit MySpace-suicide.

And Adrian Lamo.

And Kevin Mitnick.

And anybody else that the someone "doing the fed dance" decides that they stand to make more money or power by causing an otherwise nonpunishable offense to be pursued in criminal (instead of civil) court when the person is "obviously guilty, at the very least by association to something that probably should be a crime".

The chance of anyone who actually does any real damage via computer crime going to prison approaches zero faster and harsher during these quiet times. For example, people with JS-SQLi or Dowd-Flash web-worms.

This is more about the social psychology of risk than anything else. See Schneier on the "How to Sell Security"http://www.schneier.com/blog/archives/2008/05/how_to_sell_sec.html

This lady has about a 10% chance to win a federal case before she goes to prison and can try for another 10% again in 5-10. Also see: Kevin Mitnick.

If we're even 50% right about her actions being criminal, then that's good enough to make her wait in prison until we figure this out.

It's better to imprison 1 major Internet kingpin out of 33, then to let 32 out of 33 off-the-hook.

Thanks Jeremiah - yet another case where the government's inability to cope with technology advancements and "cybercrime" creates a situation where a mis-understood system is thrown into a "we need to fix the web with 1920's law!" tizzy. As long as we have government officials and Congressmen/women who believe the "Internet" is a series of tubes we're screwed.

That said, I am conflicted over the issue. If it can be proven that the intent of the accused was to influence the teen into committing suicide then punishment may be warranted. In the end, the teen *allowed* herself to be influenced by the MySpace posts which saddens me. Given more details about the case, I *may* be inclined to offer the prosecutor whatever 'juice' s/he needed to do their job.

On the other hand, from a purely defensive and perhaps paranoid infosec perspective, I also fear the repercussions of this. When an online form asks for my phone number in order to d/l a white paper or something, will I be breaking the law if I enter an invalid number?

On balance, I agree with you that this *could* be a dangerous precedent but I am not sure there are any easy answers here.

I think this is actually a positive example of creative prosecution. Why don't we let the courts decide if 18 USC 1030 applies to the Drew case? If not, we should urge our lawmakers to revamp or replace 1030, which is over two decades old.

The fact is, prosecutors don't set precident. Courts do. Let it play out.

@Cyberlocksmith, If I have my facts straight, I don't think Lori Drew is accused of having intentionally tried to get the teen to commit suicide.

@Anonymous1, you know this is a security blog right? I mean, we're paid to be paranoid here. And perhaps Im not up to speed on how the law works, but they are rarely changed, more often precedence drives the current interpretation.

This is so scary - I think everyone should keep a close eye on it. For anyone that thinks this is alarmist, you're just retarded. Gary McGraw talked about the legal uselessness of EULAs at OWASP Belgium regarding WoW hackers, but maybe TOS is different.

I also think that some of the top people in our space should volunteer their services as expert witnesses pro-bono.

Jeremiah, you're right that precedence (i.e. "case law") drives interpretation in absense of - and sometimes in presence of - good statutory law. All I'm saying is that the power of case law rests with the courts and not with the prosecutors. And we're talking about the Ninth Circuit here, so I wouldn't worry about it yet.

About Me

Jeremiah Grossman's career spans nearly 20 years and has lived a literal lifetime in computer security to become one of the industry's biggest names. He has received a number of industry awards, been publicly thanked by Microsoft, Mozilla, Google, Facebook, and many others for his security research. Jeremiah has written hundreds of articles and white papers. As an industry veteran, he has been featured in hundreds of media outlets around the world. Jeremiah has been a guest speaker on six continents at hundreds of events including many top universities. All of this was after Jeremiah served as an information security officer at Yahoo!